Local intranet http web servers not accessible after Firefox update to newer version
On Windows 10 with 64-bit Firefox, after updating from version 144 to 145, some local HTTP-only servers stopped working and became inaccessible. When I enter http://<local server name>, after a few seconds it automatically changes to https://<local server name>, and since no HTTPS service is running, it ends with a “Server not found” page. It seems to be related to DNS — accessing http://<IP address> works fine.
I tried a clean installation with a new user profile, but it didn’t help. Downgrading to version 144 fixes the problem, but at the cost of losing the user profile (which is a disaster). I also tried to check the HTTP-only settings (which I’ve never modified), but that didn’t help either.
Is anyone else experiencing the same issue?
Τροποποιήθηκε στις από τον/την lstefek
Επιλεγμένη λύση
Issue explained. It turned out that the root cause was Firefox’s internal HSTS preload list, which most likely originates from the global HSTS list maintained at hstspreload.org.
Our website on a second-level domain had been mistakenly configured to return the following HTTP header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Over time, this caused the domain (and its subdomains) to be included in the HSTS preload list. As a result, Firefox now automatically upgrades all requests to HTTPS for these hostnames using an internal redirect (HTTP 307), even if only HTTP is explicitly requested.
That explains why http://<local server name> is silently rewritten to https://<local server name>, while accessing the service via a raw IP address continues to work.
More information can be found here: HTTP_Strict_Transport_Security_(HSTS)_Preload_List
Προβολή απάντησης εντός συζήτησης 👍 0Όλες οι απαντήσεις (2)
Επιλεγμένη λύση
Issue explained. It turned out that the root cause was Firefox’s internal HSTS preload list, which most likely originates from the global HSTS list maintained at hstspreload.org.
Our website on a second-level domain had been mistakenly configured to return the following HTTP header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Over time, this caused the domain (and its subdomains) to be included in the HSTS preload list. As a result, Firefox now automatically upgrades all requests to HTTPS for these hostnames using an internal redirect (HTTP 307), even if only HTTP is explicitly requested.
That explains why http://<local server name> is silently rewritten to https://<local server name>, while accessing the service via a raw IP address continues to work.
More information can be found here: HTTP_Strict_Transport_Security_(HSTS)_Preload_List
Τροποποιήθηκε στις από τον/την lstefek
So, Firefox 145 just received our domain in the list and behaves accordingly. Now, we have to change at least "preload" directive on our web server, post request for removal from hstspreload.org and wait....
Τροποποιήθηκε στις από τον/την lstefek
Πρέπει να συνδεθείτε στον λογαριασμό σας για να απαντήσετε σε δημοσιεύσεις. Ξεκινήστε μια νέα ερώτηση εάν δεν διαθέτετε ακόμα λογαριασμό.